Restrict NTP access

Answered Question
Oct 2nd, 2007

We have an edge router running NTP and I would like to restrict access to allow this router to sync to a remote time server.


If the remote ntp server is 1.2.3.4

and my router is 6.7.8.9


would this work:


access-list 20 permit 1.2.3.4

access-list 20 deny any

ntp access-group serve-only 20

Richard Burts Tue, 10/02/2007 - 08:14

If you want to restrict where the router can learn time then I believe that you need ntp access-group peer 20. The access-group serve-only controls who can query the router as an NTP server.


Also in my experience if you are going to use the ntp access-group I find that it is best to define both peer access-group and serve-only access group. Using the one to restrict where you can learn without using the other has the effect of not allowing anyone to learn time from this router.


HTH


Rick
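The configuration below is an added example illustrating Rick's advice, not text from his post or from Cisco documentation. It uses the addresses from the question (upstream server 1.2.3.4, edge router 6.7.8.9); the internal range 10.0.0.0/8 is an assumed placeholder for the hosts that should be allowed to query the edge router.

```cisco
! Edge router 6.7.8.9 (addresses from the thread). 10.0.0.0/8 is an assumed
! placeholder for the internal network that is allowed to request time here.
!
! ACL 20: the only upstream source this router may learn time FROM
access-list 20 permit host 1.2.3.4
access-list 20 deny any
!
! ACL 21: the internal devices allowed to request time FROM this router
access-list 21 permit 10.0.0.0 0.255.255.255
access-list 21 deny any
!
! Define both groups. Once any ntp access-group is configured, NTP packets
! that match none of the configured groups are dropped, so configuring only
! "peer" would silently stop every downstream client from syncing.
ntp access-group peer 20
ntp access-group serve-only 21
!
! The upstream server itself
ntp server 1.2.3.4
!
! Verification after the change (both are standard IOS show commands):
!   show ntp associations   -> 1.2.3.4 should be marked "*" as the sync peer
!   show ntp status         -> should report "Clock is synchronized"
```

With this in place, an outside host that is not 1.2.3.4 and not inside 10.0.0.0/8 matches neither group and gets no response, which addresses the penetration-test finding described later in the thread, while internal clients can still use the edge router as a server.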

wilson_1234_2 Tue, 10/02/2007 - 08:22

Thanks rick,


What I was looking for was more to restrict who has access to the router as a time server.


There was a penetration test done and they flagged the edge routers as able to access them and view the information.


The internal routers are not learning from the edge routers, but maybe they should be?


Should I still use the "peer" and "serve-only" controls?



Richard Burts Tue, 10/02/2007 - 08:38

If you need to respond to the results of the penetration test which reported that they could access the edge router then I would think that the ntp access-group serve-only would restrict their access.


As I said, in my experience using just one of the access-group commands can have unintended consequences. So I would advise you to use both. Without knowing more about your network environment it is hard to give good advice. But I believe that it frequently is best to have edge routers learn time from an Internet source and then to have other network devices learn time from the edge router(s). So I would be very inclined to advise that the internal routers should learn time from the edge router. Where are they currently learning time?


HTH


Rick

wilson_1234_2 Tue, 10/02/2007 - 09:35

I appreciate your reply.


There is a router that sits on the edge of the MPLS network that is configured to a different external time source than the two edge routers.


This MPLS router is the time source for everything else in the internal network.


The two edge routers are configured separately and nothing is pointing to them.


Richard Burts Tue, 10/02/2007 - 09:58

It would be ok to just leave the network devices learning time from the MPLS router. But I would suggest that there would be advantages in configuring the internal network devices to have both the edge routers as well as the MPLS router as NTP servers. The main advantage is in providing redundancy. If for some reason the MPLS router lost its sync with its time source the internal network devices would have no source of NTP time. I faced that situation at a customer site a while back. Due to some things going on externally we lost sync with our preferred NTP source and discovered real advantage in having a backup NTP source.


If there is more than one NTP server configured there is an algorithm in NTP to choose the one to sync with. If you prefer that they continue to use the MPLS router when it is available there is an option in configuring Cisco routers and switches to identify the preferred server.


HTH


Rick
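As an added example of the redundancy Rick describes (not from his post), this is the client side on an internal router or switch: the MPLS router stays the preferred source and the two edge routers are fallbacks. All three addresses are assumed placeholders.

```cisco
! Internal router/switch (example, not from the thread). Placeholder addresses:
!   10.10.10.1 = MPLS-edge router (today's sole source)
!   10.10.20.1 = edge router 1, 10.10.20.2 = edge router 2
!
! "prefer" keeps the MPLS router as the selected source while it is healthy.
! NTP's selection algorithm only falls over to the others if it loses sync
! or stops answering.
ntp server 10.10.10.1 prefer
ntp server 10.10.20.1
ntp server 10.10.20.2
!
! Confirm the selection: "*" marks the server in use, "+" the candidates
! that would be chosen next.
!   show ntp associations
```

For this to work the edge routers' own ntp access-group serve-only ACL has to permit the internal addresses; otherwise the fallback servers will never answer and the redundancy exists only on paper.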

Correct Answer
Richard Burts Tue, 10/02/2007 - 11:34

Thanks for posting back and indicating that my suggestions worked as expected. It makes the forum more useful when people can read a question and can find confirmation that the ideas suggested were implemented and did work.


I am glad to see that you are a regular participant in the forum.


HTH


Rick

wilson_1234_2 Tue, 10/02/2007 - 11:46

Thanks for the reply.


I appreciate this forum very much.


It is very useful to have access to knowledge and experience you all have.


I have learned a great deal here.


I answered a question and have 5 points now, so watch out (actually it was just pointing someone to another post).


Thanks.

